Business Central (SAAS) Security

Business Central is a cloud service with a global reach and scale running on one of the world's largest hyper-scale infrastructures, Microsoft Azure.

Business Central is part of Microsoft Dynamics 365 (SAAS) family business management solutions. Business Central is designed for small and mid-sized organizations that automates and streamlines business processes and helps you manage your business.

Highly adaptable and rich with features, Business Central enables companies to manage their business, including finance, manufacturing, sales, shipping, project management, services, and more. Companies can easily add functionality that is relevant to the region of operation, and that is customized to support even highly specialized industries. Read more.

A business solution must have a built-in security system that helps protect your database, and the information that it contains, from unauthorized access. It must also allow you to specify what authenticated users are allowed to do in the database, such as what data they can read and modify. Read more.

1. Microsoft Product Terms

Online Services Data Protection Addendum (DPA)

When you subscribe to an Online Service under the terms of the Product Terms, the data processing and security terms are defined in Microsoft Online Services Data Protection Addendum (DPA). The DPA is an addendum to the Product Terms (and formerly OST). The current and archived editions of the DPA are available for download here.

Services Provider Use Rights (SPUR)

The Services Provider Use Rights (SPUR) provides details on how products acquired through the Microsoft Services Provider License Agreement (SPLA) may be used. The downloadable Word document versions of the current and archived editions of the SPUR will continue to be available for download here.

Service Level Agreements for Microsoft Online Services (SLA)

The Service Level Agreements (SLA) describe Microsoft’s commitments for uptime and connectivity for Microsoft Online Services. The current and archived editions of the SLA are available for download here.

2. Service Compliance

Running a cloud service imposes the need to conform to certain standards in security and compliance, so from a service perspective Business Central lives up to the strict requirements in several ISO and industry specific certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1 (SSAE18) Type 2, SOC 2 Type 2, HIPAA BAA, EU-US Privacy Shield, EU Model Clauses, FERPA. Read more.

You can download certificates here

3. Infrastructure

SAAS - Software as a Service, part of Microsoft Dynamics 365 business management solutions. Business Central is a cloud service with a global reach and scale running on one of the world's largest hyper-scale infrastructures, Microsoft Azure. Read more.

4. Country where data will be stored

Data center where data are stored depends on client's Microsoft tenant region. Lithuanian tenants are stored in data center in Ireland (North Europe Azure region). Read more.

5. Authentication

Business Central online uses only Azure Active Directory (Azure AD) as the authentication method. M365 Users can be invited to connect to Business Central from another Microsoft tenant. Read more.

6. Data isolation and encryption

Data belonging to a single tenant is stored in an isolated database and is never mixed with data from other tenants. This ensures complete isolation of data in day-to-day use and in backup/restore scenarios. Furthermore, Business Central uses encryption to help protect tenant data in the following ways:
• Data at rest is encrypted by using Transparent Data Encryption (TDE) and backup encryption.
• Data backups are always encrypted.
• All network traffic inside the service is encrypted by using industry-standard encryption protocols.

7. Data Security

The Business Central security system allows you to control which objects or tables a user can access within each database. You can specify the type of access that each user has to these objects and tables, whether they are able to read, modify, or enter data.

You can specify which records are stored in the tables that each user is allowed to access. This means that permissions can be allocated at both the table level and the record level.

The security system contains information about the permissions that have been granted to each user who can access a particular database.

This information includes the roles that the users have been assigned, as well as any permissions that they have been granted to individual users.

There are four different levels of security:
• Database
• Company
• Object
• Record
Graphically, these can be represented as the layers, where the central layer is the records in the database. Read more.

8. Backup

Protecting your business-critical ERP data in Dynamics 365 Business Central environments and providing continuous availability of the service are extremely important to our customers. All your online environments are backed up. System backups occur continuously by the underlying technology used by the Business Central service: Azure SQL Database.

Business Central local and delegated administrators (partners) can restore any environment (sandbox and production) to a certain point in time (to a minute) up to 30 days in the past. We recommend contacting partner to perform data restore. Read more.

9. Business continuity and disaster recovery

Microsoft provides disaster recovery for production environments of Dynamics 365 software as a service (SaaS) applications for business continuity if there's an Azure region-wide outage. Read more.

10. Auditing Changes in Business Central

10.1 Log of operations

The Business Central admin center will show a log of operations, performed by the customer admins and delegated admins (partners) in the admin center and through the admin center API. The log will initially include the operations that we enable with this release:

• Renaming environments
• Restoring environments
• Updating apps (pending)

The admins will be able to see which operations were created, when, and by whom. We will also surface detailed error messages in this log, should any operation fail.

10.2 Data change log

A common challenge in many business management applications is avoiding unwanted changes in data. It could be anything from an incorrect customer telephone number to an incorrect posting to the general ledger.

The change log lets you track all direct modifications a user makes to data in the database. You specify each table and field that you want the system to log, and then you activate the change log. The change log is based on changes that are made to data in the tables that you track.

You can use the Monitor Field Change Setup assisted setup guide to specify the fields that you want to monitor based on filter criteria. You can specify the person who will receive an email notification when a change occurs. Read more.

10.3 Telemetry

Business Central emits telemetry data for various activities and operations on environments and apps/extensions. Monitoring telemetry gives you a look at the activities and general health of your environments/apps, so you can diagnose problems and analyze operations that affect performance. Azure Application Insights is a service hosted within Azure that gathers telemetry data for analysis and presentation. Whether running Business Central online or on-premises, you can set your tenants up to send telemetry to Azure Application Insights. Read more

11. Administration Center

The Business Central administration center provides a portal for administrators to do administrative tasks for a Business Central tenant. Internal administrators are users who are assigned the Global admin role or the Dynamics 365 Admin role in the Microsoft 365 admin center. These users are typically system administrators, IT professionals, or super users at the customer's company.

In the administration center, you can create and monitor environments. This is also where you manage the people who must be notified of administrative events for your tenant. Read more.

12. Partner (Softera) privileges

Granular delegated admin privileges (GDAP) capabilities allow partners to control access to their customers' workloads in order to better address their security concerns. Partners can offer more services to customers who may be uncomfortable with the current levels of partner access.

GDAP is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol. It lets partners configure granular and time-bound access to their customers' workloads in production and sandbox environments. This least-privileged access needs to be explicitly granted to partners by their customers. Least-privileged access needed for Softera to setup environment and be able to support users is D365 Administrator. If Customer would like Softera to assign Business Central licenses to users, License Administrator permission is needed. Read more.

13. System updates

New capabilities roll out in release waves that consist of a major update and monthly minor updates. Most capabilities are made available in major updates twice a year in October and April, but some become available in minor updates. Critical fixes roll out as soon as possible after they pass tests and have been verified in Microsoft's protected staging environment.

Microsoft is committed to delivering predictable updates to the service. Updates are continuous, touchless updates that provide new features and functionality. They eliminate the need to do expensive upgrades every few years. Administrators can set a maintenance window for each environment that determines when Microsoft is allowed to update that environment. Read more.

14. Sandbox

With Business Central online, you can easily get a safe environment where you can test, train, or troubleshoot without disturbing your company's work processes or business data. Such a non-production environment is called a sandbox. Isolated from production, a sandbox environment is the place to safely explore, learn, demo, develop, and test the service without the risk of affecting the data and settings of your production environment. Read more.

15. Penetration testing

All penetration tests must follow the Microsoft Cloud Penetration Testing Rules of Engagement. Read more.

Latest penetration test

16. Exporting Databases

From the Business Central administration center, you can export the database for Business Central online environments as BACPAC files to an Azure storage container. Read more.

17. Data access when a subscription expires

When a subscription expires, two special periods kick in:
• Grace period
• Data retention period
The grace period is a period of 30 days when the customer can still access the product without any restrictions. After the grace period, the subscription enters the data retention period, which is another 90 days during which only the admin users of the Azure Active Directory tenant can login into the product. After those 90 days, Microsoft deletes the data automatically. Read more.